9. WEB APPLICATION AND BROWSER SECURITY Exploitation of Web application vulnerabilities is quickly becoming most hackers’ favorite method of breaking into corporate data stores. Many organizations spend tons of money on firewalls and network security, only to undo it all by opening up holes in the network via Web application portals. Unfortunately, most of them are not doing a good job of baking security into the code of these applications.

Fundamentally, Web application security must be approached by properly training your developers in how to code securely. But that will take time, and mistakes can still crop up, which is why many organizations, such as Sequoia Retail Systems, are also using Web application firewalls as a stopgap measure.

“What it gives us is an ability to stop a threat or prevent a threat until the software can actually be fixed,” explains Bowers, who says Sequoia uses Breach Security Web Defend. “With a Web app firewall there are things you can do with prevention. You can do TCP resets and blocking and use other methods of preventing access to that vulnerability so that you’re actually securing the Web site until you can fix the code.”

And organizations aren’t the only ones that suffer from Web-based attacks. A company’s customers can also be victimized by identity theft through a combination of user error and browser-side vulnerabilities.

Rob Weaver, head of IT security for ING Direct, believes that many security problems in the banking industry stem from customer-side attacks, such as phishing. The company, a unit of ING in Amsterdam, the Netherlands, adopted a third-party product from Trusteer to protect the machines of customers who choose to opt in. The product ensures that every time a customer attempts to log in to ING’s site, that individual is really logging in to ING and not to a phishing site

“Without your customers, there is no company,” Weaver points out. “What greater resource do we have to protect?”

10. ENCRYPTION Encryption of high-priority information should be an integral part of any full-fledged information security program. Many of today’s biggest breaches could have been relegated to the “non-event” category if the affected organizations had implemented encryption to protect their data.

While encryption implementations can sometimes be costly and complicated, you can start simply by instituting whole disk encryption of laptops. Unencrypted mobile devices are one of the biggest culprits of data breaches: The Department of Veterans Affairs’ breach a few years back is a testament to that. Most importantly, though, you should be encrypting based on the risk assessments and prioritizations outlined earlier.

“I think encryption is another area that goes back to the information-centric philosophy,” says Sonnenschein’s Hansen, who employs numerous encryption products for data at rest and in transit. “I think encryption does protect the information, so I’m not going to cut corners on what I spend on encryption.”

Encryption may be a less expensive option in the coming years, as technology vendors make improvements to open standards for key management, which has long been an obstacle to across-the-board encryption implementations. Most recently, a coalition of vendors including EMC, Hewlett-Packard and IBM bande